#+TITLE:GPG Cheatsheet
#+AUTHOR:Joshua Branson
#+LATEX_HEADER: \usepackage{lmodern}
#+LATEX_HEADER: \usepackage[QX]{fontenc}
#+OPTIONS: H:10 toc:nil

* Introduction
Gnu Privacy Guard (GPG) is a tool for securing communicating with someone else.  Traditionally, every user of GPG has a public key and a private key.  In order to communicate everyone should share their public key, but you always want to keep your secret key, secret.  Your public key is like a safe.  When Bob wants to send you a message.  He uses your public key to put your message in the safe.  You then use your private key to open the safe.  Since you are the only person that has your private key, you are the only person that can read the message Bob sent to you.

Most users, probably do not need to specify a date that your key expires.  You can keep your key forever, if you so choose.

A key has at least one user ID associated with it like a name and email address, but it is possible to add more later.

A Revocation certificate, is a generated file that I should share with my friends if I lose my private key.  It will mean that my friends should stop using the old key to encrypt messages to me.  BUT if I still have the compromised private key, I can still decrypt encrypted messages that were sent with that key.



* receive gpg keys:

#+BEGIN_SRC bash
gpg --recv-keys 0x7BD63126
#+END_SRC

#+RESULTS:
* list keys
#+BEGIN_SRC sh :results output :export code
gpg --list-keys
#+END_SRC

#+RESULTS:
#+begin_example
/home/joshua/.gnupg/pubring.kbx
-------------------------------
pub   rsa2048 2016-05-17 [SC] [expires: 2017-05-17]
      AAD617F76D505C188A558D0BC8FA3D82C7B1326F
uid           [ultimate] Joshua Branson (This is my hotmail gpg key.) <bransoj@hotmail.com>
sub   rsa2048 2016-05-17 [E] [expires: 2017-05-17]
sub   rsa2048 2016-09-09 [A] [expires: 2018-09-09]

pub   rsa4096 2010-07-21 [SC] [expires: 2016-11-15]
      A4626CBAFF376039D2D7554497BA9CE761A0963B
uid           [ unknown] William John Sullivan <johns@gnu.org>
uid           [ unknown] William John Sullivan <johns@fsf.org>
uid           [ unknown] William John Sullivan <johns@debian.org>
uid           [ unknown] William John Sullivan <john@wjsullivan.net>
sub   rsa4096 2010-07-21 [E]

pub   rsa2048 2014-07-08 [SCA] [expires: 2019-07-07]
      3841FFC6AEB62783D42EE5AEAF241CE008FFB3A4
uid           [ unknown] Jeanne Rasata <jrasata@fsf.org>
sub   rsa2048 2014-07-08 [E] [expires: 2019-07-07]

pub   rsa2048 2013-02-22 [SC]
      6E4574DBAE662DF315AEDE6ED26FFEC1474FA472
uid           [ unknown] Jeann Rasata <rms-assist@gnu.org>
sub   rsa2048 2013-02-22 [E]

#+end_example

My userID is then C7B1326F
* Export your public gpg key
#+BEGIN_SRC sh :results output :export code
gpg --armor --export bransoj@hotmail.com > bransoj.gpg
cat bransoj.gpg
#+END_SRC

#+RESULTS:
#+begin_example
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFc7GcUBCAC4MLbnQJ2Hjh3xBRcTupmJuzFJzu8zx6bb0GBzucg+gDZ0PES9
pZWW7vekeoqkoFImeo/eaEzYSzqCdFb/p02mWEjpP4+DPv2qRYbDg3xGdvlxkPqi
MmdiOCRaAdEBKtAaPJdm1yio2I5zVqK0fBumdrL47UTpeh4IZF1h+srKZNY7Ylaq
E8FhjTVJLAaVbcC84xzAP+pJSHwu8jR/xJEo/p/GCMFd1TiOKEl+7imogd1iJRNC
1pRS52CAqYO5GPUOu5bLMC0O3npiJCcebJ84oaIwu7YPjsUv/ZXKbw2Bw8Sg9ZZD
uUASdB8K2FFidJByV3q5UB58Tv1JSAg5xEepABEBAAG0Qkpvc2h1YSBCcmFuc29u
IChUaGlzIGlzIG15IGhvdG1haWwgZ3BnIGtleS4pIDxicmFuc29qQGhvdG1haWwu
Y29tPokBPQQTAQgAJwUCVzsZxQIbAwUJAeEzgAULCQgHAgYVCAkKCwIEFgIDAQIe
AQIXgAAKCRDI+j2Cx7Eyb0LyCACw2SR+pavE3RzSo86zy/mRFLn+UkpmYXqBp8sB
j24ogRs2kI0VeM1kS1tKZ6h9IsWFuiQHtCCgD17mGmxZ51Uvx27aWfzlN91gmY4C
DpZVX3PAZ4h5Q2jWNhkZE1K3U8GBzApYnwN0uJ5CT+oiLweCOQJqwDdKfalAwoH+
/eTbezip8DTD5hgaBu3day6LyJ6ajDIYL6jn/uUcXhGrykBUjqfe3rpeIRSjIlAt
PwzBWlceRAYGgpUi6g5SBpjG6vP53X91U3fN7qqy6YNzLW3iGa9a/p7AsTBZFLgp
E0VtN42uOJ2Vc8UhD3wdeYqf6HxUTpDoviDoc608SJuALUK8uQENBFc7GcUBCADE
a5JosRi4VX4VYUdzXDhgoCRV0kl6TU304+D6Q27/k+Yy99txwClD3ug9JeLMiZ0L
e2Sm/jkmPiivW68yV3Ipt800n8YB4SeEWJcOZH5E8MQyKX1DxAS28kG6XTU3CiCY
gQDhWKcTkdptA74pq836EypBw7zwK/qKI66PefHccAKRe5ckNzhmuOgHaD47wtzC
mxiKaTft883S8lidxVgbTa0pY22A1S8HlCxg56kStg2OHhwyPNSoasZJ4wkt95Ii
xQS6qH7uNfTxQmwVslY9uSgO7H5CTMQJHBUYlqWSNmAvD1cW7W7yPC1JKE1Y2Lbt
Fg859J7Z5kmMzCnXfVeNABEBAAGJASUEGAEIAA8FAlc7GcUCGwwFCQHhM4AACgkQ
yPo9gsexMm8Uegf/f3mcwyeCcBZB/i0yxqkjcHky8OL77lUyIznTXhngd6xxh/kz
OId4ixZ17LQSJfDINMZYMvC2YmlM8Q+RPcrVmtVGHlzGlDYziOb0GOX6ZZgi+uuI
pbRi6mXMXLBjdJ8Az6JhnZTEbcLX36C7PrsYy6Vf/mkJWQ9dXiiWStZFkwH+jhux
/5iEyzif4ufk2gMfaWE7pGO3PLewQyZYnvVBPmlb2EM7UbEXbKGjh0d0rwmljXBp
Nm93zwF0DIhmaAVOGNlteScjCo07LPcAcb3RZJu9MM3vlnOuRWDJGYEkkQzoOAOt
WARlwOYBOT7hp5sQKnwg2EKH+MF6yMu3HHso2rkBDQRX0gAxAQgA2f3oUu2g82tS
aGdq7/KMyM7cDGkM5mcUVsmKSyesPqlw7/3ZhPEzly1ehvzDt3KC5s6XtSCgnFEw
LH7akFG8ssmPnsB/fN7KZQiegK5acd5DcukznFBFWYOyYNi5Fwzu/y92TDAoQj/e
/QmYdYy6MG8HzD4h/OEkrUz7ChUE1iJrSVNrIGzPLqK2HeXf0h/agwGvG/bXf7JB
VmHKB5+gUFxh+pqP83bRniGyP3/Rb5YajFqAC/HCKUoJbGWrcpJyijcEi14pIZiv
MkMemtKSEnXyptMfnC6pWWPAZwoHpM7eQ0i/sA5z15C8XczBYaXEZmAJAgPy3NZd
nWPQ/voiLQARAQABiQElBBgBCAAPBQJX0gAxAhsgBQkDwmcAAAoJEMj6PYLHsTJv
IbYH/jHTL/FdzHKSA0REET3DDwrqbxFJbLQyXzKMipwIfhPo2kVhT6CB+pLJAurN
zVA9rm1IggAsdgeeDmxxdA3xHuouJ+vIfmKxqrrmJ/M7idyobbMM71isofR9eBKY
ZBy8TuId1UdyNG7g7DR4cfm3TrhU1dmfOt0Y9WtDu1OokWjhRjrHAVu/6m58r3G1
8RA6g26cbp7XG2Uxd7S43oIe0uYeGYGJTwKRbxFPPV55rrhUAlJCOW6o3xKUVmKu
u33TivQ1ySuHr4qMS64OfIYjYARDzIXKW+NZivwGe0x7IBwTleqanzip6s0VYTiC
8GqzXhfl9G+eoq42U15KQskVilg=
=34nH
-----END PGP PUBLIC KEY BLOCK-----
#+end_example
* import a public key
#+BEGIN_SRC sh :results output :exports both
gpg --import bransoj.gpg
#+END_SRC

#+RESULTS:

Once a key has been imported, you should validate it.

#+BEGIN_SRC sh :results output :exports both
gpg --edit-key johns@gnu.org
fpr
#+END_SRC

#+RESULTS:

This will output the key's fingerprint.  If johns@gnu.org if with you, he can tell you if the fingerprint is correct.  If it is,
then run the command ~sign~.

The command ~check~ will show you the signature that you added to the key.
* encrypting and decrypting documents

The basic scenario for two users to share a document is like this:

#+BEGIN_SRC emacs-lisp
gpg --output somefile.gpg --encrypt --recipient someEmail@hotmail.com somefile.txt
#+END_SRC

But you can also encrypt a document so 2 users can read it.  Like so:


#+BEGIN_SRC emacs-lisp
gpg --output somefile.gpg --encrypt --recipient someEmail@hotmail.com --recipient bransoj@hotmail.com somefile.txt
#+END_SRC

For every person that you need to encrypt a document, you just add a ~--recipient email~


To decrypt a document, use the following command

#+BEGIN_SRC emacs-lisp
gpg --decrypt --output file.txt doc.gpg
#+END_SRC
** symmetric encryption
* change default key...I've no idea how to do this.

My stupid hotmail key is so annoying.  It no longer works, but I have old documents that use it. grrr.

Basically I just made my hotmail key not expire ever.
* Making and validating signatures
A signature is a way to proving that a document has not been modified.  If I encrypt a document to you, I should also send a document.sig file that acts like a signature.  The signature, if it can be verified, proves that I sent the document, and whilst it was traveling to you, it has not changed.

BUT what if someone changes the document and the signature whilst it is being sent to someone?
* learn some gpg from this blog
https://sanctum.geek.nz/arabesque/series/gnu-linux-crypto/
https://riseup.net/en/security/message-security/openpgp/gpg-best-practices

https://www.reddit.com/r/GPGpractice/

* I can learn a lot of gpg from this gnome site
https://help.gnome.org/users/seahorse/stable/index.html.en

* create a new gpg key:

To do this: you need to create a gpg conf file. and ensure pinentry is
installed.
  
#+BEGIN_SRC sh
  cat /home/joshua/.gnupg/gpg-agent.conf
#+END_SRC

#+RESULTS:
default-cache-ttl 28800
# 8 hours
pinentry-program /home/joshua/.guix-profile/bin/pinentry-curses
allow-loopback-pinentry
# enable ssh support 
enable-ssh-support

* https://www.ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

* kill gpg agent
gpgconf --kill gpg-agent

* using gpg for ssh authentication linode
https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/

good blog post too.
https://www.ryanlue.com/posts/2017-06-29-gpg-for-ssh-auth

You need to import the gpg key into ssh.

    vm2-$ gpg  --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys 20EE3BF8 | openpgp2ssh 20EE3BF8 >  '.anishn'


#+BEGIN_SRC sh
  gpg -k --with-keygrip
#+END_SRC

#+RESULTS:
joshua@dobby ~/.gnupg$ gpg -k --with-keygrip
/home/joshua/.gnupg/pubring.kbx
-------------------------------
pub   rsa4096 2019-10-05 [SC]
      /secret/
      Keygrip = /secret/
uid           [ultimate] Joshua Branson <jbranso@dismail.de>
sub   rsa4096 2019-10-05 [E]
      Keygrip = 5B85A72E18EAFCD69C212494B1DC92BE77A5CB62

      
The keygrip is "5B85A72E1..."


Somehow to need to import the gpg key into ssh-agent.

#+BEGIN_SRC sh
echo 5B85A72E18EAFCD69C212494B1DC92BE77A5CB62 > ~/.gnupg/sshcontrol
#+END_SRC

When you have done so, verify that the key is there via:

ssh-add -L, which will list all of your keys.

Now you can add your gpg keys to your remote server with

#+BEGIN_SRC sh
  ssh-copy-id root@<ip address>
#+END_SRC

This will copy your gpg key to your remote server.  If the command
succeeds, then you can then use your ssh key log into the remote server!

* how to determine if gpg-agent is running:

=gpg-agent=

it will tell you.
* starting ssh agent
https://www.ssh.com/ssh/agent

* this seems like a good guide for getting gpg-agent to work as ssh-agent
https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html
* vocab

    sec The master/primary secret key. Contains ( key size, keyid, creation date, expiration date and fingerprint)
    ssb Secret Subkeys. These can be your sub signing key, encryption key or authentication key. Users can have multiple subkeys
    uid User information associated with the secret key. You can have multiple uids.
    pub The following is public key Information
    sec# # after sec means that your secret key is missing from the machine contains a refrence
    ssb> > after ssb means that your subkeys are not the machine. Instead they are on a smartcard (YubiKube)
    sub your public subkey info.
* archlinux.org

https://wiki.archlinux.org/index.php/GnuPG#gpg-agent

#+BEGIN_SRC sh
  cat ~/.pam_environment
#+END_SRC

#+RESULTS:

#+BEGIN_SRC shell
ls
#+END_SRC

#+RESULTS:
* using gpg-agent to authenticate to servers with gpg keys

<mbakke> joshuaBPMan: so you have --enable-ssh-support in gpg-agent.conf, and
         "export SSH_AUTH_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" in
         .bashrc?  [18:26]
* it may not be a good idea to use GPG for server authentication

ssh keys are used for server authentication.

gpg keys are used for signing commits and sending emails.
